Should We Be Worried? The State of Cybersecurity in New Zealand

The digital world offers incredible opportunities for New Zealand, but it also exposes us to significant risks. While individual government agencies have cyber security plans, a unified national strategy – encompassing industry, citizens, and government – remains elusive. This fragmented approach, coupled with limited resources, leaves us potentially exposed in the face of evolving cyber threats.

Kendra Ross described the challenges we face, the level of resourcing our government would need to invest in my recent interview with her, which is well worth a watch / listen - Fireside Chat with Kendra Ross on all things Cyber Security. It’s fantastic someone with her experience in this space is so passionate and motivated to improve our collective capability and infrastructure.

A Fragmented Defense

The World Economic Forum's 2024 Global Risks Report paints a concerning picture. Misinformation and disinformation (#2 on the list) can easily spread online, eroding trust and social cohesion. Cybersecurity threats (#8) are on the rise, with cyberattacks potentially crippling critical infrastructure. Automation of jobs (#10) could lead to social unrest if not managed carefully.

The report also raises concerns about autonomous weapons systems and AI influencing military decisions. How Deepfakes and AI-generated propaganda could further blur the lines of truth. Plus the increasing digital divide, and how unequal access to technology deepens existing inequalities, potentially leading to social unrest as some populations feel left behind. We should see this report as a real wakeup call.

New Zealand's current cyber security approach, with its decentralised plans, doesn’t appear to be be robust enough to effectively address these complex and interconnected issues, just look at a few of the headlines on the big ticket events last year, not to mention the romance and bank scams which impact citizens every day:

• 20% of NZ cybersecurity incidents relate to cloud platforms - from Techblog

• Money-motivated cyber attacks outnumber those carried out by nation-states - from RNZ

• NZ police among agencies in cybercrime takedown of LockBit ransomware group - from RNZ

• New Zealand university operating despite cyberattack - from the Record

• Suspected cyberattack crashes Auckland Transport card network - from RNZ

Under-resourced for the Fight

Adding fuel to the fire is the stark reality of New Zealand's cyber security budget. Industry estimates suggest a government spend of around $30-$50 million NZD when you tot up funding for CERT, NetSafe and estimate funding buried inside DIA, GCSB, NZ Police, NCSC and others.

This is an area I investigated extensively as a member of the former private sector advisory group to government CSAC. Quoting our report we advised the government to significantly lift their investment in cyber prevention and response suggesting an estimated $250 million NZD is needed to adequately address our risk profile. To quote one of CSAC reports:

“Based on the investment quantum in Australia and the United Kingdom and adjusted down for local scale, this suggests an additional annual spend of between $200 million and $300 million.”

Private sector spend millions in this space, government spends Billions on our physical defense force ($5.3B was reported last year) yet our investment in protecting the nation from cyber crime is a tiny drop in the bucket. Upshot is this leaves us vulnerable to sophisticated cyberattacks that can have devastating consequences.

A Call to Action

The time is now for a unified national cyber security strategy. The DPMC published one in 2019 which - like most government strategies - looks great on paper but appears to lack follow through, the voice and role of the private sector or citizens, not to mention is already out of date. Below this section is a clip of it’s 5 strategic goals.

It’s time to get serious, government and the private sector need to collaborate to develop a strategy which will:

• Foster collaboration: Industry, government, and citizens need to work together to identify and address cyber threats.

• Invest in cyber defense: Increased funding is crucial to develop robust cyber defenses, including building a skilled cyber workforce.

• Empower citizens: Public awareness campaigns can educate citizens on how to identify and avoid cyber threats.

By taking these steps, New Zealand can build a more resilient digital infrastructure, safeguarding our economy, security, and way of life. We need to take our virtual boarder as seriously as we take our physical boarder security. This is a national issue.

I know I have already asked you all to step up and help solve our future of work preparedness challenges, this one is just as important for us to collectively solve or we will continue to find ourselves at the mercy of an increasingly well resourced, sophisticated and prolific industry extorting us as individuals, businesses and government agencies. Keen to join this discussion?